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Terminal, data distribution system comprising such a terminal 
and method, of re- transmitting digital data. 
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Background of the invention 



The invention reflates to the area of transcontrol at 



network boundaries. 



In particular, t^he invention relates to a terminal for 
receiving and re-transmittfing information, comprising a first 
network adapter for receiving a primary data stream in which the 

encoded , encrypted according to a key 



information has been 
scheme from a primary 
first format, 



transmitter through a first network in a 



! 



an arrangement for receiving entitlement messages , enabling an 
authorised receiver to decrypt the encrypted data stream, and 

at least one further network adapter for connection to a secon- 

J 

dary network, wherein the terminal is configured to re-transmit 
at least part of the information in at least one secondary data 
stream in a second format differing from the first format, 

through the second networlc 

3 



to at least one secondary terminal 



connected to the secondary network. 

The invention flrther' relates to a digital data distri- 



bution system, comprising 
transmitter, connected to 



o a 



a primary network, a primary data 
the primary network and arranged to 



encoded in- an encrypted primary data stream 
tey scheme through the primary network 



transmit information 
encrypted according 
in a first format, 

an entitlement message transmitter, arranged to transmit enti- 
tlement messages enabling an authorised receiver to decrypt the 
encrypted data strean, 
a secondary network, 
one or more secondary terminals", connected to the secondary net- 
work, and 

a primary terminal, (connected to the first and the second net- 
work, arranged to receivd the encrypted data stream from the 
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primary data transmitter through; the first network and to re- 
transmit at least part of the inf ormation, encoded in at least 
one secondary data stream in a second format, differing from the 
first format, to one or more secondary terminals connected to 
the secondary network* j; 

The invention also relates to a method of receiving and 
re-transmitting digital data, comprising: 

receiving information encoded in an encrypted primary data 
stream, encrypted according to d key scheme, from a primary 
transmitter through a primary network in a first format, 
receiving entitlement messages, t| enabling an authorised receiver 
to decrypt the encrypted data sjtream, 

re-transmitting at least part of the information, encoded in at 
least one secondary data stream!'.: in a second format, differing 
from the first format, to at ledst one secondary terminal 
through a secondary network. 

Furthermore, the invention relates to a computer pro- 
gram suitable for loading into ,a terminal for receiving and re- 
transmitting digital data, comprising 

a processor, memory, a first network adapter for receiving a 
data stream from a primary transmitter through a first network 
in a first format, an arrangement for receiving entitlement mes- 
sages,, enabling an authorised Receiver to decrypt an encrypted 
data stream, and at least one farther network adapter for con- 
nection to a secondary network." 

• Examples of such a terminal, system and method are 
known, e.g. from EP-A-1 089 47GL This publication discloses a 
set -top fcox that is connected tip a television receiver through a 
video cable and an IEEE 1394 caala. A front end circuit extracts 
a broadcast signal corresponding to the station selection of a 
user, from a DSS (Direct Satellite System) input from an antenna 
and "outputs it to a descramble|circuit . A charging circuit sup- 
plies jthe descramble. circuit with the decoding key used for 
scra'mb'lej release. A multiplex editing circuit rearranges the 
time'st'amp and packet' length of Jjjan HD broadcast signal (which is 
MPEG encpded) from the descramMLe circuit into the structure of 
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a transport stream defined in IEEE 13 94 and then outputs it to 
an encryption circuit. When the broadcast signal concerned is 
pay per view, the encryption circuit encrypts the transport 
stream from the multiplex editing circuit, A controller controls 
a drive to read out a control program recorded in a magnetic 
disc, an optical disc, a magneto-optical diBC or a semiconductor 
memory, and controls each circuit of the set top box on the ba- 



sis of the control program thus 



read out and a command input 



from a user or the like. The charging circuit is not connected 
to the encryption circuit. 

When the known terminal is employed, the entity trans- 
mitting data from the primary transmitter looses control the 
moment the data is decrypted in the primary terminal. Subse- 
quently, even though the decrypted data is re-encrypted, this 
entity no longer controls access to the data. The operator of 
the primary terminal that is used to receive and re-transmit the 
data through the secondary network can determine which secondary- 
receiver he will enable to decrypt the re-encrypted data stream, 
by sending them the key used to re -encrypt the data stream. 



summary of 



the invention 



The invention provides a terminal, system and method of 
the types mentioned above, that enable a primary provider of 
digital data to retain control over the further distribution of 
the data through secondary networks. 

'J The invention achieves this by providing a terminal for 
receiving and re- transmitting information, comprising a first 
network adapter for receiving a primary data stream in which the 
information has been encoded, encrypted according to a key 
schemej from a primary transmitter through a first network in a 
first ,jf ormat , 

an arrangement for receiving entitlement messages, enabling an 
authorised receiver to decrypt the encrypted data stream, and 
at least one further network adapter for connection to a secon- 
dary network, wherein the terminal is configured to re-transmit 
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at leas,t part of the information in at least one secondary data 
stream in a second format, differing from the first format , 
through the second network to at least one secondary terminal 
connected to the secondary network, wherein the terminal is con- 
5 figured to transmit the secondary data stream (s) encrypted 

according to the same key scheme and to forward received enti- 
tlement messages that enable an authorised receiver to decrypt 
the secondary data stream(s] to the secondary terminal (s) . 

■i Because forwarded entitlement messages (i,e. generated 
10 by the 'source providing the information to the terminal) are 
used to enable the secondary receivers to decrypt the re- 
transmitted data stream, the primary data provider retains con- 
trol over the further distribution of the data. 

J Preferably, the terminal is arranged to decrypt the re- 
15 ceived primary data stream and to encrypt the secondary data 
stream(s) according to the key scheme. 

Thus, the terminal may access the data comprised in the 
received data stream, for example certain elementary streams in 
a multiplexed stream. In this way, it can access information, 
20 for example tables of identifiers identifying elementary 

streams, which it may make use of to decide which parts of the 
received data stream to forward. 

According to a further aspect of the invention, a digi- 
tal da.ta distribution system is provided, comprising a primary 
25 network, a primary data transmitter, connected to the primary 
network and arranged to transmit information encoded in an en- 
crypted primary data stream encrypted according to a key scheme 
through the primary network in a first format, 

an entitlement message transmitter, arranged to transmit enti- 
3 0 tlemeftt messages enabling an authorised receiver to decrypt the 
encrypted data stream, 
a secondary network, 

one or more secondary terminals, connected to the secondary net- 
work, il'iand 

35 a primary terminal, connected to the first and the second net- 
work, ^arranged to receive the encrypted data stream from the 



i ! 
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primar^, data transmitter through the first network and to re- 

i jj 

transmit at least part of the information, encoded in at least 

i 

one secondary data stream in a second format, differing from the 
first I'ormat, to one or more secondary terminals connected to 
5 the secondary network, wherein the primary terminal is config- 



ured 



to transmit the secondary data stream (s) encrypted 



according to the same key scheme and to forward received enti- 
tlement messages that enable an authorised receiver to decrypt 
the secondary data stream(s) to the secondary terminal (s) . 

j j; The system enables the entity using the primary data 
transmitter to keep control of the data being retransmitted to 
the secondary terminal (s) - 

| || According to another aspect of the invention, a method 
of receiving and re- transmitting digital data is provided, com- 
prising: 

receiving information encoded in an encrypted primary data 
streamjl encrypted according to a key scheme from a primary trans- 
mitterjj through a primary network in a first format, 
receiving entitlement messages, enabling an authorised receiver 
to decjrypt the encrypted data stream, 

re- transmit ting at least part of the information, encoded in at 
least pne secondary data stream in a second format, differing 
f romj t'he first format, to at least one secondary terminal 
throiigjh a secondary network, wherein the secondary data 
streiamj(s) are transmitted encrypted according to the same key 
scheme:] and received entitlement messages that enable an author- 
ised receiver to decrypt the secondary data stream (s) are 
forwarded to the secondary terminal (s) . 

' This is the method carried out by the terminal accord- 

30 ing itc the invention - 

i According to a last aspect of the invention, a computer 

prograU is provided, suitable for loading into a terminal for 
i , I 

receiving and re -transmit ting digital data, comprising 
a processor , memory, a first network adapter for receiving a 

35 



data stream from a primary transmitter through a first network 
in a first format, an arrangement for receiving entitlement mes- 
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sages, enabling an authorised receiver to decrypt an encrypted 
data stream, and at least one further network adapter for con- 
nection to a secondary network, so that the terminal programmed 
in this way is provided with the functionality of a terminal ac- 
5 cording to the invent ion - 

iThus, a terminal with the right hardware is easily 
to function as a terminal according to the invention, 
providing content providers with more certainty that they con- 
trol the distribution of the content up to the end user, 
10 The invention will now be explained in further detail 

with reference to the accompanying drawings. 

Brief description of the drawings 

15 Fig. l gives a schematic overview of a digital broad- 

casting architecture, in which the invention is employed. 

Fig. 2 is a schematic diagram showing the composition 
of Transport Stream Packets. 

Fig. 3 is a schematic diagram showing some components 
20 of a terminal according to the invention. 

Fig. 4 is a schematic diagram showing the composition 
of a d,ata packet generated by. a terminal according to the inven- 
tion. 



Specific description 



Referring to Fig. 1, the invention provides a primary 
receiver 1, which is used as a gateway between two networks, 
namely: a delivery network and a home network 2, in this example. 
30 The iprimary receiver 1 receives the data in a first format, and 
retransmits it in a second format. Although the invention is not 
limited to a single type of data, this description will focus on 
an example wherein MPEG-2 Transport Stream packets are broadcast 
to the' primary receiver l, which retransmits them to a plurality 
35 of secondary receivers through the home network 2. Examples of 
secondary receivers, shown in Fig. 1, are a set -top box 3, con- 
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nected to an analogue television set 4, a digital television 
set 5 and a personal computer 6, equipped with a network card, ""■ 
media player and smart card reader 7. The invention is not lim- 
ited to" use in a broadcast environment; the primary receiver 1 
5 may also receive the digital data from a source over a point-to- 
point connection. 

The MPEG-2 standard I SO/ I EC 13818 describes the method 
of data encoding and transport" in some detail . This description 
will primarily recount those aspects that are relevant to the 
10 invention. Reference may be had to the standard for further de- 
tails. 

In Fig, 1, a broadcast source 8 encodes an elementary 
stream 9 into a single programme MPEG-2 transport stream 10. An 
elementary stream is a single digitally-coded and possibly MPEG- 
15 compressed component of a programme, for example, video or au- 
dio. Data from several elementary streams belonging to a 
programme are carried in Programme Elementary Stream (PBS) pack- 
ets 11 (see Fig, 2) . A programme corresponds to a channel in 
analogue broadcasting. The PES packet 11 comprises a PES packet 



20 header 



12 and a PES packet payload 13 , Data from the elementary 



streams are multiplexed in the PES packets 11, with the PES 
packet : header 12 indicating wnich elementary stream the PES 
packet ■ payload 13 belongs to. ! 

The PES packets 11 cjre carried by MPEG -transport stream 

25 (TS) packets 14 (Fig. 2) . An JjIPEG- multiplexer 15 (Fig- 1} multi- 
plexed: multiple transport streams into one multi-program 
transport stream, so that multiple programmes are carried in one 
stream. Each TS packet 14 (Fig. 2) comprises a TS packet 
headi£X'l6 and a TS packet payload 17. In addition, an adaptation 

30 field 18 ensures that all TS packets 14 are of the same length, 
regardless of the length of tiie PES packet 11 they are carrying. 
The TS' packet header 16 comprises, amongst others, a packet 
identifier (PID) 19. The packet identifier 19 is a unique inte- 
ger :value used to associate elementary streams of a program in a 

35 single! °r multi -programme transport stream , 
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i A Programme Association Table (PAT) in the TS pack- 

ets 14 with PID-value 0 comprises a list of all the programmes 
available in the transport stream. Each programme in the PAT is 
associated with a Programme Map Table (PMT) , which gives details 
5 about the programme and the elementary streams of which it is 
compris;ed. 

Referring again to Fig. 1, a network adapter 20 con- 
verts the TS packets 14 into a format suitable for transmission 
through a primary network 21, to a regional centre 22. The re- 

10 gional -centre receives the transport stream through a network 

adapter 23, A bitstream splicer/multiplexer 24 is used to splice 
in other transport streams, which may include Service Informa- 
tion' (SI) , an Electronic Program Guide (EPG) and teletext ♦ The 
bitstream splicer/multiplexer 24 updates the FID values and the 

15 P1VIT and PAT, to avoid conflicting values. The resultant MPEG 
transport stream is then linked up to a satellite transmit- 
ter 25, a terrestrial transmitter 26 or a cable transmitter 27, 
through the primary network 21, using suitable network adapt- 
ers 28 1 and 29 . 

20 The satellite, terrestrial or cable network forms a de- 

livery network, for distributing the data to the homes of 
receivers. Other suitable types of network are those employing 
fibre to the home connections, ADSL {Asynchronous Digital Sub- 
scriber Line), Ethernet connections, etc. In the context of the 

25 presjent invention, the distribution network will be referred to 
as "the; first network. 

! i j Either the broadcast source 8 or the regional cen- 
tre !22.i, or both, may use a conditional access system to prevent 

unauthorised access to the contents of the data stream that is 

■I j ; 

30 ljinked[ up:. For this purpose, either the PES packet payloads 13 

ojr tjfaej TS; packet payloads 17 are scrambled. Note that, in a mul- 
tiplexed transport stream, which in fact comprises multiple 
nspprt streams, each 1 carrying one elementary stream, only a 
set; of; the transport streams may be scrambled. A field in the 



3 5 EteS 
Ahe 



packet header 12 or TS packet header 16 indicates whether 

« i 

payload of that particular packet is encrypted or not. To 
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avoid overcomplicating the description, it will be assumed that 
scrjanjbling: is carried out at the transport stream level. Pref- 
erablly'a symmetric encryption algorithm/ such as DES, is used to 
scramble the TS packet payloads 17. 

; j i It is noted that it is possible to scramble all the TS 
packet Jpayloads 17 with the same key and/ or algorithm, regard- 
less lofi PID- value, or to use a different key and/or algorithm 
for each elementary stream or. for each set of elementary streams 
belonging to one programme. Assuming that the regional centre 22 
is jtlfie ,CA-system manager, it will splice in one or more trans- 
port i streams that contain entitlement control messages. It will 
additionally modify the PMT for the scrambled programme, by add- 
ing to it a CA-descriptor, detailing the type of CA system being 
usedj and the PID of the entitlement messages. The entitlement 
control messages comprise the ! control word, the key used for 
scrambling, and da -scrambling'. The entitlement control messages 
(EGMsJ. are themselves encrypted, with a different key. A further 
data 1 - stream comprises entitlement management messages (EMMs) , 
these enable authorised subscribers or groups of subscribers to 
decrypt the ECMs, from which they can retrieve the control word. 

Returning to Fig. l!, the primary receiver 1 receives 
the MPEG-2 transport stream by means of a satellite dish 30, to 
wiich it is connected* The transport stream is in a format suit- 
aDlejj for transmission through the satellite delivery network, 
fpr jexample conformant to DVB-S (Digital Video Broadcasting- 
SateJLlite) . The primary receiver l makes part or all of the data 
ijvaijlal " 



aj^adjlable- to end devices through the home network 2, through 

13 

I h .1 ' I 



whiqh :data is transmitted in ia different format. The primary re- 



jLvpr' 1 is thus a delivery network gateway: a device that is 
ionnjected: to one or more delivery networks and one or more home 
fwprk segments. It includes one or more connecting components 
dha,t it can interconnect tihe delivery network (i.e. the sat- 
lliijt^! nejtwork) with the ■ home network segments on any of the osi 
aye;rsi. It can function as ajbridge or router, interconnecting 
different; 1 link layer technologies, or it can act as a gateway, 
so' providing functionality j on the OSI layer 4 and above. Con- 
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sejguently, the term format means the manner in which the data is 
adapted to conform to the protocol stack of a certain type of 



netwi 



A first network (the \ satellite network) has a different 
protocol stack than the home network 2, meaning that it differs 
at orie or more of the link layer level, the network layer level 
or tlie transport layer level. Note that this means that the pri- 
mary | receiver 1 must, where data is transmitted in frames and/or 
packets, add, remove or modify packet headers, and/or re-segment 
packet payloads to conform to the protocol stack of the home 
network 2 . The term packet refers to a short section of data 
that lis transmitted as a unit, in a communications network. It 



encompasses packets at levels below that of the network layer, 
whidtj* are commonly known as frames, as well as the types of 
packets known as cells. A packet comprises a header or trailer 
and a payload. Packet format refers' to the composition of the 
packet in terms of the size of the payload, and in terms of the 



varibus fields that are present in the header/ trailer . 

jj Fig. 3 shows schematically the components of the pri- 

mary)! receiver i. it comprises a tuner/ demodulator 31, which 
removes the carrier wave to retrieve the base band signal com- 
prising the MPEG transport stream. The primary receiver 1 uses a 
processor 32 and memory 33 to process the packets. The proces- 
sor |32 is connected to a system bus 34- In this example, a smart 

i u. 

cardj reader 35, a modem 3 6 arid an Ethernet card 37 are connected 
to ( the system bus 34. The modem 36 and Ethernet card 37 function 
as j network adapters, i.e. they, together with appropriate soft- 
wared running on the processor, implement a link interface, 
erncLfcfUing data to be exchanged over a network according to the 
correct protocol for that network. A smart card 38 is inserted 
i|ntd| the smart card reader 3 5 to provide authorisation for re- 
ceiving one or more programmes. As 'an alternative to the smart 
card 38, another type of portable security device, for example a 
USB dongle or PCMCIA format card may be used. A software - 
implemented security module for providing authorisation is also 
conceivable, in this example! the home network 2 is an Ethernet, 



e . 



the 



set -top box 3, digital television set 5 and personal 
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computer 6 ; also comprise Ethernet cards. It is, however, 
st'resjsed that any other type of home network could be employed, 
fcfr Example one using USB connections, IEEE 1394, IEEE 602-11, 
etc. j 

! According to the invention, the primary receiver l re- 
ceives the transport stream in the DVB-S format. Then, using the 
PIDsjin the PAT and PMT, it determines which elementary streams 
comprise the EMMs and ECMs, and which comprise the elementary 
streams comprising the content, data, EPG data, possibly IP data, 
eic.jsome or all of the transport streams comprising the latter 
are descrambled, insofar as the smart card 3 3 comprises informa- 
tion authorising the primary receiver 1 to retrieve appropriate 
control words. For this purpose, the smart card 38 processes the 
ECMs! to return the control word to the processor 32, which car- 
ries! out the descrambling. j 

:, | Then, the decrypted idata streams are re-packetised, 

Lsj means that they are divided into payloads of the appropri- 

;e length, and that the necessary headers, defined in the 

i i 
rotbcDls used in the home network 2 are added. Then, these 
i: I i 
pjackjsts are re-encrypted. The i same control words are used to re- 

epcrypt the packets in the data packet format of the home net- 

workl 2. Because the same key scheme is used, the data in the 

transport 'streams comprising the entitlement messages is simply 

forwarded. No new entitlement j messages are formed. 

, -It is noted that the primary receiver 1 does not differ 

substantially from the secondary receivers, in that it cannot 

decrypt 



the entitlement messages or descramble the content data 
without (the smart card 38. It! is not able to form its own enti- 
tjjletrent messages, either. This has the twofold advantage that 
3 0 tjhe primary receiver l is relatively simple and that the re- 
gional centre is assured that! its CA system remains in use to 
• I'll'' I 1 

protect jthe content data against unauthorised access. 

,' 'The primary receiver' l re~packetises the ts packets 14 
into the 1 , format for the home network 2. In this example, the 
3 5 |ome network protocol stack uses Ethernet at the link layer 
|evel, IP at the network layejri level and UDP at the transport 
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layer level. Fig. 4 shows the composition of the packets trans 



mitted through the home network 
TS -packets 14 form the payload 
an IP datagram) . The IP packet) 



2 , Several , e.g. about seven , 
of an IP packet 39 (also known as 



39 further comprises a UDP 

header 40 and an IP header 41 ;j The IP header 41 comprises the IP 

I' -ill 
address of the secondary receiver for which the IP packet 3 9 is 



intended, or it may comprise a' 
packet 3 9 forms the payload of! 



■multicast address. The IP 

a.n Ethernet frame 42, comprising 



a -preamble 43, a destination alddress 44, a source address 45 , a 
type 46 and a CRC checksum 47 [\ The destination address 44 is a 
broadcast, multicast or unicasjt address, used by the secondary 
receivers to retrieve the Ethernet frames intended for them. It 
is noted that it would also have been possible to directly en- 



aiding IP and UDP headers 41,?£ ; C 



psulate the TS packets 14 in 



ever, makes it possible to trar 
Preferably, the prim; 



the Ethernet frame 42, without 
Using IP over Ethernet, how- 
smit, the data over a wider range, 
ry receiver 1 uses a form of en- 
cryption under the stack, as described more fully in applicant's 
co-pending international application WO 02/07378. 

menti of the invention, the se con- 



In a preferred embo 

receivers are able to sejid selection commands to the 

Jl 



dLry 

iimary. receiver 1 through thje 
ese selection commands-, the primary receiver 1 filters out 
™ose elementary streams in t!he mul[ti- programme transport stream 



hat are not requested by any 



tJhus 



tjo, each secondary receiver. 



The secondary receivers elach also comprise a smart card 



Reader: An inserted smart . irk 



om the stream of data received from the primary receiver 1, 



homej network 2 . In response to 



of the secondary receivers. It is 



able to transmit only a Isubsebof elementary data streams 



ahd to 'descramble certain element airy streams 



The primary receiver 



i 



enables them to retrieve the ECMs 



i 



sjajrried in PPP packets ox AT! 



1 can also receive the TS packets 



losing th? modem 36 ♦ In this case, tihe TS packets may already be 
encapsulated in IP packets. However, instead of being encapsu- 
lated in Ethernet packets, the 



received IP packets are typically 
bell's at the link layer level. The 



04/12 '02 16:18 FAX 0031205110931 



10 



15 



20 



25 



30 



DE VRIES & METMAN 



13 



■* EPO RIJSWIJK (g]019 

019 04.12.2002 16:20:07 



primary [receiver 1 must therefore carry out the method according 



to, the invention to re- transmit 
frame f drmat . 

: ! As described above, 

packetises the decrypted data 



the 



received data in Ethernet 



invention, a further variant a 
\ | | 

ble. in (this variant, the prin 



'I : llM L 

receive :a primary data stream] jpbmpr is ing information encoded in 

first : format , to re-encode iJhje information in a second format, 



he primary receiver 1 re- 
preans. Within the scope of the 
I the primary receiver 1 is possi- 
ry receiver 1 is arranged to 



i 1 5 1 

and to include data comprising.'; 

least one of the secondary datfa 

transcoding may entail de-com;^r 

ceived data. Aa an example, the 

I T 

demultiplex a transport stream 1 ! 
tary stream encoded and comprsp 
standard, de- compress the enc 



tpranscoded video data is then 



the re -encoded information in at 

streams. This go-called 
essing and re -compressing the re- 

prinary receiver 1 may 
to retrieve a programme elemen- 



sed 



ijjded video data, and re -compress 
and encode the video data according to the MPEG-2 standard. The 



raulti! 



plexed with the other associ- 



according to the MPEG-4 



aped programme elementary stre'ams containing audio and data into 
ah transport stream which is plicketised and transmitted to one or 
more of \ the secondary receiver;. Of i course, transcoding from 
MPEG-4 to MPEG-2 is just an advantageous example. Where data is 
toeing rp-transmitted, the prinis.ry receiver l can also be ar- 
anged jto transcode still images, for example from JPEG to GIF. 
^ese embodiments have the advantageous effect that it is possi- 

I II i! ■ 

le to continue to use legacy|lreceiJvers as secondary receivers, 



i'f a broadcaster has switchedi'to a 




by the secondary irecei 
in the primary receive 
compression, is that a 



|he re- 

bfndwidths available on 5 the h 
network 



given a 



different format not sup- 
ers . It is then only necessary to 
1. Another effect, especially of 
pount can be taken of different 
•me network 2 and the distribution 



; Preferably, the prouder j of the primary data stream is 
further instrument tofjcontrol the secondary distribution 
35 of" information. One way i of doing this is to provide a plurality 



bfj different entitlement messages, 



each enabling an authorised 
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receiver to decrypt an encrypted dajja stream encrypted according 
tpj the key scheme, wherein eacjfi' entitlement message comprises a 
specification of at least one terminal „ In other words , several 

oid the ECMs sent from the broadcast!} source 8 to the primary re- 

'I 1 • \ ! 

ce'iver 1 may contain the same jjppntrpl word, but a different 

specification of a receiver (ejitherlj the type or an identifica- 
tion of j one or more specific devices) . The primary receiver 

retrieves the 2CMs specifying Ji'tseljE, in order to decrypt the 

i ' 1 j ij 

received data stream* It forwards to each secondary receiver 

o:ily those ECMs comprising a Specification to which that secon- 
dary' receiver conforms. <| j] 

jjj i A further instrument! to control distribution involves 

transmitting messages authorising transmission of at least one 
of the secondary data streams |to ad least one of the secondary 
terminals. The message can beja sir^le message specifying only 
^ether | re -distribution is al lowed jkt all, or it can limit re- 
distribution to certain typesjfof secondary receivers or a cer- 
tain maximum number of secondary receivers. The primary 



receiver 1 is arranged to transmit 



1 



t reams 



to those secondary terminal 



s been received. In combination tiith device-specific ECMs, the 



primary 



receiver 1 can, for ejfampli 



ECMs, tD restrict the number s'f secondary receivers that can si- 
multaneously access theidatajj 

i <j The invention , is no& jlim^ted to the described embodi- 
ments, but can be varied in a.||numb€r of ways within the scope of 

the scrambled data may corn- 
primary receiver 1 may 



prise II 



t 



tjhe [attached claims. For instance, | 

packets. In this case'j th 

III 

pacj 



;jrfemove • jthe encapsulation in % 
the data. 



I 



>nly those secondary data 
s for which an authorisation 



filter out certain of the 



,ets before re -transmitting 



04/12 02 16:18 FAX 0031205110931 



10 



15 



20 



25 



30 



DE VRIES & METMAN 



15 



OUAIMS 



EPO RIJSWIJK 0021 

021 04.12.2002 16:21:01 



Terminal for rejceiviijg and re -transmitting infor- 

adapter (31, 3 6) for 
t which the information has 
t ng jfco a key scheme from a pri- 
-ougli a first network in a first 



mation, comprising a first network 
receiving a primary data stream in|j 
heem encoded, encrypted; acco: 
bart transmitter (25,26,27) | 
jformat, 

ia!n arrangement for receiving 

i } i 

Authorised receiver to dec 



alt least one further network 




secondary network (2) , whereinj the) 



2 . Terminal accord 



ititflement messages, enabling an 
the! encrypted data stream, and 
Laptjgr (37) for connection to a 



re-transmit at least part of||tiie 4** ormation in at least one 
liecpndary data stream iin a sj lond Eormat , differing from the 
! first format, through the aegjnd ifctwork (2) to at least one 

i t ~ 



terminal is configured to 



secondary terminal (3,5,6) c|nnectjkd to the secondary net- 
work. (2), wherein the termini ] is Configured to transmit the 
•secondary data stream(s) enc'Jpted ! according to the same key 
scheme and to forward receiv|il entitlement messages that enable 
an 'authorised receiver to dJJypt the secondary data stream(s) 
;,io [the secondary terminal (s)| j 3,5j6) . 



h 1» . 



na]J is arranged to decrypt tj 
,1:o jencrypt the secondary da 
; S cljeme. \ ' , 

: j 3 . Terminal accordi 

,'Jial is arranged to de-multirii:bc aj decrypted data stream 
['comprising multiple) elementa Jr 
! information encoded! in a subsje 



Terminal laccoa 



I i 

wherein the terminal is arr 



:nary data stream inj a rirst 



claim L, wherein the termi- 



received primary data stream and 

strlam(s) according to the key 

! : 



ng claim 2, wherein the termi- 
: a | decrypted data stream 
data streams, and to re-transmit 



jit oi j the elementary data streams 
^,ng \o claim 3, wherein the termi- 



nal is arranged to receive s ipLects pn commands from the 
.secondary terminals!, aiid to j Jelecj .! the elementary data streams 
comprised in the subset" accc> 4ingj to the selection commands. 

5. Terminal jaccoi i Cjlng to any one of claims 1-4, 

'aflged j :b receive the encrypted pr±- 
at a jacket format, and to transmit 
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streams in a second data packet 



Terminal according to any one of claims 1-4 and 5, 



yaiheirein the terminal is ( arrang 



ed t 



? decrypt a payload (13,17) 



5 jpff a received encrypted! data p*cke: (14,39,42) in the first 

p.acket format , to form clfear sdata from the decrypted pay- 
jioad, and to subsequently re-pfackeiise the clear data to 
conform to the second data rjaqket Format. 

| 7. Terminal accorjdiig t : claim 2 or claim 2 and claim 

5 or 6, wherein the terminal is arranged to de-multiplex an en- 



C^YPted data stream comprising mu 
data streams , and to retransmit a 



i 

1st reams. 



Terminal accordijhg 



:diinc 



i i 1 j 

wherein the terminal is arranged 
dresses (44) , identifying one or 
terminals (3,5,6), in the transmi' 
9. Terminal according 



•data compressed in accordance wit] 
"I : ',. ' i 
.tompress the data, to re-compress 

'I I ' r I 

seqond scheme, and to include 'the 
I !: s i I 

ileasfcljone of the secondary !da--a s 

11. Terminal [according 

.'ranged to receive messages 'au* 

the secondary data streams 



•iple encrypted elementary 
subset of the elementary data 

any one of claims 1-7, 
include one or more ad- 
bre secondary 

ed secondary data stream (s) • 
|b any one of claims 1-8, 
o receive a primary data 
ded in a first format, to re- 



whejrein the terminal is arranc ed 
stream comprising information encc 

[ f i I 1 | ; 

jiencjode the information I in a! socon'c format, and to include data 

[, comprising the re-encoded information in at least one of the 
H ! " < 1 
^secondary data streams.' 

j 1 . j j 10. Terminal jaccording 

jnal) is arranged to receive a grim. 



■'one o 

jpajy; jterminals (3,5,6) j : which 
spnly| jthpse secondary data str 
ciais' Jo! 5, 6) for which! an aut 



terminal is arranged to transmit 
ams ; to those secondary termi- 
iori;3ation has been received. 



; i 



claim 9, wherein the termi- 
ry data stream comprising 

a first scheme, to de- 
the data in accordance with a 
re -compressed data in at 
reams . 

any one of claims 1-10, ar- 
horasing transmission of at least 



Jo 



to at least one of the secon- 
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' |i 12. Terminal according td any one of claims 1-11, com- 
posing an arrangement for receiving a plurality of different 
entitlement messages, each enabling an authorised receiver to 
dec^yp't an encrypted data stj're^m encrypted according to the key 

jsjchemeL wherein each entitlement message comprises a specif ica- 
ji ■ | j. , I f 

ion pf at least one terminal wheprein the terminal is arranged 



id 



13. Digital data disj 



: (3,5,6) only those entitle- 



o forward to a secondary terminal I 
( ment messages comprising a specification to which the secondary 
Jtierminal (3,5,6) conforms . 



rib 



primary network, a primary datfa transmitter (25,26,27), con 



it 



ion system, comprising a 



inected to the primary network i and 
!' I j ;! " ~ ! || 

lilnf prmation encoded in an encrypt « 

I' I i ' I il ' 

jferypt^d according to a key scHeme,|; through the primary network 
jiih a first format, 



:an 



entitlement message transmitted (25,26,27), arranged to 



jjtrapsrait entitlement messages 

i; | ' ! li i 

"to decrypt the encrypted data 



arranged to transmit 

primary data stream, en- 



anafcjling an authorised receiver 
strejam, 



ft 



;a Secondary network (2) , 
one 6jr more secondary termina 
•©ndarjf network (2), and j 
a primary terminal (1) , connected 
network; (2) , arranged to reLe 
i-the 1 primary data transmitter 



2 5 <work!ancl 



ve 
25, 



,5,6), connected to the sec- 



: to the first and the second 
he encrypted data stream from 
6,27) through the first net- 



to re- transmit at least Bart of the information, 
jl pncoded j in at least one sec,c-njiary jdata stream . in a second for- 

t, to one or more secondary 



I mat, ' differing from the firbtjfo: 



permihals (3,5,6) connectedj tfc th| secondary network (2), 

wherein t the primary terminall |l) i 

i , ij j ' " ! I 

secbr^dary data stream(s) edc 



[scheme and 
j kn J au|tjh£r i 



and to forward receijvej 



I ! 

dafcai, 



tojth'e 1 secondary terminal (s 1 ) 



sed receiver; to decrypt 



14, 



Method of rec 



'comprising: 



) is configured to transmit the 
te| according to the same key 
entitlement messages that enable 



(3,5 



sj.; ring 



; j I i I 

receiving information encoded 



•the secondary data stream (s) 
Is) . 

and re -transmitting digital 



in Li 



in' an encrypted primary data 
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transmitter (25,26,27) throubhj a p: 



receiving entitlement messages!, em bling an authorised receiver 



I 



scheme from a primary 
imary network in a first 



a information, encoded in at 
a second format, differing 



to decrypt the encrypted datja stream, 

■ i 

re -transmitting at least paajt of £ 
least one secondary data stream i 

from che first format ^ to at least! one secondary termi- 
nal, (3,5,6) through a secondary network (2), wherein the 
secondary data stream (s) are transmitted encrypted according to 
jbhe ;1 same key scheme and,' received entitlement messages that en- 
able an authorised receiver :to : decrypt the secondary data 
stream(s) are forwarded to the secondary terminal (s) (3,5,6), 



15* Computer program 



sui 



;able for loading into a ter- 



minal |l) for receiving iand re- tr admitting digital data, 
comprising 



fqr .receiving a data stream from a! 



processor (32) , memory (33 



a f first network adapter (31,36) 



primary transmit - 



network in a first format, an 



teir (25,26,27) through a first 

arrangement for receiving enti':lemJnfc messages, enabling an 
authorised receiver to decrypt an (encrypted data stream, and at 

]j37) for connection to a sec- 
ondary 
way lis 
to! any 



least one further network adapter \ 



network (2), so that ths te-ijminal (1) programmed in this 



provided with the functional 
one of claims 1-12. j 



lity of a terminal according 
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ttioii, comprises a first 



ABSTRAC T 



receiving 
network ac 



primary data stream in which th< 
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■nd re -transmit ting informa- 
pter (31, 36) for receiving 
information has been en- 
scheme from a primary 
rst network in a first for- 



cotied, encrypted according to a to 
transmitter (25,26,2 7) through a 

it a(t [ I 

r ! 

an arrangement for receiving entitlement messages, enabling an 
authorised receiver to decrypt the jencrypted data stream, and 
at [Least one further nefcworlj: adap| sr (37) for connection to a 



jThe terminal is configured to re- 



secondary network (2) 

I I if 

.transmit at least part pf the information in at least one sec- 
ondary data stream in ai second foipriat, differing from the first 
'format, through the secibnd Imetworiij (2) to at least one secon- 
dary terminal (3,5,6) connected tc|j the secondary network (2). 
Thej; terminal is configured tpo trarjpmit the secondary data 

" ie same key scheme and to 
jes that enable an authorised 



jtream(s) encrypted according to 
■forward received entitlement messe 



receiver to decrypt the! secpndaryfeata stream (s) to the secon 



dary terminal (s) (3,5,6). 
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